< Back to all clusters
[TECHNOLOGY] · 4 sources

Linux KVM “Januscape” VM Escape and GhostLock Vulnerabilities Patched

Two high‑severity Linux kernel bugs have been disclosed and patched. The Januscape vulnerability (CVE‑2026‑53359) is a use‑after‑free flaw in the Kernel‑Based Virtual Machine (KVM) hypervisor that lets an attacker with root access inside a guest VM execute code on the host or cause a denial‑of‑service across co‑tenants. The flaw, present for about 16 years, affects Intel and AMD x86 platforms and threatens public‑cloud providers and any environment that relies on KVM isolation.

The second flaw, dubbed GhostLock (CVE‑2026‑43499), resides in the kernel’s futex priority‑inheritance implementation. It permits a low‑privilege user to gain root by exploiting a dangling pointer, a bug that went unnoticed for roughly 15 years. Both vulnerabilities have been patched in the mainline Linux kernel, and users are urged to upgrade promptly. The Januscape discovery earned a $250,000 Google bounty; GhostLock earned $92,337. Security researchers emphasized the critical need for immediate remediation in multi‑tenant cloud infrastructures.